04-12-2012 01:42 PM
I have a dashboard on which I have a large amount of data. It doesn't fit in one panel of the dashboard; is there an option of having a vertical scrollbar? I didn't find any documentation around this.
Thanks!
Tags: scrollbar
04-11-2012 06:46 AM
Kristian: Thank you very much for your help. Yours is the first solution that worked for me. Really appreciate all the help. Thank you!
04-10-2012 11:18 AM
Thanks Kristian! That worked like a charm. Can you also tell me how I can do the same thing while maintaining the level of nesting in the XML? The reports I have are about 200 lines and deeply nested; do you have any suggestions on how I can extract fields so they make sense in their context?
For example, in the XML above, one host (192.168.X.Y) can have level high while another host (192.168.X.X) can have level low. Will I be able to extract such context-sensitive information?
04-10-2012 07:53 AM
I'm trying to extract XML fields from a report which is about 70-80 lines (maybe more). I receive the whole report as a single event because breaking it would make the report lose its meaning. I have been researching and trying out various means of field extraction for this report but nothing has worked out so far. If anyone can help me out with this, it'd be great.
I tried xmlkv, spath, xpath and manual regex field extraction. When I try manual field extraction or xmlkv, it matches only the last occurrence of the tag. For example, consider the following code sample:
192.168.X.X
netsaint (5666/tcp)
High
192.168.X.X
ssh (22/tcp)
Low
When I use regex for field extraction, or when I use xmlkv for, say, the field level, I get only the last value (Low). Also, spath by default extracts fields from the first 5000 characters, and I understand this can be changed in limits.conf, but I don't know how many characters my report would contain, so I don't know what I should set the value to. When I try spath like so:
whatever_search|spath output=host path=objects.object.ip|top host
the field host contains the whole xml report and not just the field I'm looking for. Can someone please suggest some alternative/solution to this? I have no option but using XML for this.
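The two XML posts above (the one asking why a flat extraction only returns the last "level", and the follow-up asking how to keep each host's level in context) are both about the same problem: a single-capture regex over the whole event loses the nesting. The following is an added example, not code from the posts or from OpenVAS; the element names (objects/object/ip/port/level) are an assumption based on the spath path `objects.object.ip` quoted in the post, and the sample report is constructed.

```python
# Added example, not code from the original posts: extract per-host findings from a
# multi-host XML report so that each host keeps its own severity level.
# Element names (objects/object/ip/port/level) are an assumption based on the
# spath path "objects.object.ip" used in the post; they are not a real OpenVAS schema.
import re
import xml.etree.ElementTree as ET

# Constructed sample report with two hosts at different severity levels.
SAMPLE_REPORT = """<report>
  <objects>
    <object>
      <ip>192.168.X.Y</ip>
      <port>netsaint (5666/tcp)</port>
      <level>High</level>
    </object>
    <object>
      <ip>192.168.X.X</ip>
      <port>ssh (22/tcp)</port>
      <level>Low</level>
    </object>
  </objects>
</report>"""


def flat_regex_level(xml_text):
    """A single-capture regex over the whole event: the greedy prefix
    swallows everything up to the last <level>, so only "Low" comes back.
    This reproduces the symptom described in the post."""
    m = re.search(r".*<level>(.*?)</level>", xml_text, re.S)
    return m.group(1) if m else None


def findings_per_host(xml_text):
    """Walk the tree one <object> at a time; each row keeps host, port and
    level together, which is the context a flat extraction throws away.
    For reports from untrusted sources, parse with defusedxml instead of
    the stdlib parser to avoid entity-expansion attacks."""
    root = ET.fromstring(xml_text)
    rows = []
    for obj in root.iter("object"):
        rows.append({
            "host": obj.findtext("ip"),
            "port": obj.findtext("port"),
            "level": obj.findtext("level"),
        })
    return rows


SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def highest_level_per_host(rows):
    """Collapse findings to one worst-case severity per host, the figure
    a per-host chart would normally be built from."""
    worst = {}
    for row in rows:
        current = SEVERITY_RANK.get(worst.get(row["host"]), 0)
        if SEVERITY_RANK.get(row["level"], 0) > current:
            worst[row["host"]] = row["level"]
    return worst


if __name__ == "__main__":
    print("flat regex gives:", flat_regex_level(SAMPLE_REPORT))
    for row in findings_per_host(SAMPLE_REPORT):
        print(row)
    print(highest_level_per_host(findings_per_host(SAMPLE_REPORT)))
```

The design point is that the unit of extraction has to be the repeating element (one `<object>`), not the whole event; once each finding is its own row, grouping by host or severity is a plain aggregation and no field can be paired with the wrong host.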
04-04-2012 07:59 AM
Ok, thank you for the quick response. I tried using spath like this,
whatever_search | spath output=scan_end path=report.report.scan_end
The XML format:
...
Sat Mar 31 21:16:59 2012
So the scan_end field should contain "Sat Mar 31 21:16:59 2012", correct? But I don't see that field at all. Am I missing something?
04-02-2012 08:14 AM
I am trying to parse XML reports (that I receive from OpenVAS) in Splunk, but I am not able to find the right way to do it. I haven't found much documentation around this either. I've read up on whatever I could find, but nothing helped. I've tried the xmlkv and xpath commands to try and parse the XML. But I am at a complete loss because these reports are really big and it's difficult to find a correlation between the fields. I've been trying to figure this out for a couple of months but I haven't come up with a good solution so far. Also, because some of the fields are deeply nested, it's getting complicated to extract these fields while keeping the structure intact. Is it a good idea to still attempt to parse these fields or should I consider changing the report format? As much as possible, I'd like to avoid that. I'm receiving this report on a port as a single event (meaning the complete report of about 100 lines is indexed as a single event in Splunk).
Any help on this will be greatly appreciated. I can provide a sample of the file if it is necessary.
Thank you.
Tags: xml
02-22-2012 09:23 AM
This was my bad. I apologize, this is a syslog issue. Thanks so much for your help.
02-07-2012 02:22 PM
1 Karma
I have a Splunk indexer which hasn't been indexing logs for the past 3-4 days. I'm trying to troubleshoot and have gone through the usual checklist of items that I found by researching Splunkbase. The most common reason, of course, is the disk being full; I have over 50% of the disk free. Second, I haven't configured my indexer as a forwarder. All the logs that I'm indexing are on the same box as the indexer. After reviewing splunkd.log, these are the only two things that stood out:
02-04-2012 10:58:48.643 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Mon Oct 29 09:24:24 2012) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
So just to debug the issue, in props.conf, I set:
MAX_DAYS_HENCE=2000
MAX_DAYS_AGO=10951
(And restarted Splunk) because I thought Splunk was trying to index logs in the future.
That didn't work either.
This is the other error message:
02-06-2012 05:11:34.353 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
02-06-2012 05:11:34.353 INFO TailingProcessor - ...continuing.
Could someone please tell me firstly, does the DateParserVerbose Warning have anything to do with Splunk not indexing data AT ALL? Secondly, please tell me how I can resolve this.
Any help will be appreciated. Thank you.
Tags: indexing
01-17-2012 12:53 PM
I want to monitor a directory that resides on another machine which has a Splunk forwarder on it. There is one specific directory which needs to be monitored and I cannot find the proper documentation which points me towards it. Can someone please tell me how to do this via the GUI and the config files?
Tags: forwarding
11-02-2011 07:54 AM
Hi,
Is there a way I can make my Splunk app a standalone app as opposed to opening the browser and selecting my app from the menu? I want to have a logo and a splash screen for my app. I have just a few dashboards for now.
09-19-2011 02:34 PM
I want to create a report for events whose field names haven't been extracted. I have SSH logs of the format "Accepted publickey for user XYZ", "Accepted publickey for user ABC" and so on. I want to collect statistics for XYZ and other users. When I test an extraction, I get a JavaScript error on the page which says "invalid argument". Even if I save a field extraction, I'm not able to use it in my search. Can someone please tell me how to go about it?
Tags: extraction
09-19-2011 12:31 PM
Is there no other way to do this? I'm a new user to Splunk and I don't know how to do this. I guess I'll read up first.
09-19-2011 11:42 AM
1 Karma
Exactly what I was trying to explain, I cannot use the NOT operator because then it would not even show me logins of B, C and D. Every record of the log has 2 values for Account Name. One is the server's name and the other is the user's name. I don't want to see the server's name in the chart. In the example I have provided, A is the server name and B, C, D are the user names.
09-19-2011 08:49 AM
2 Karma
I'm attempting to extract statistics of user logins from a custom log format and create a bar chart. I have users A, B, C and D. The log format looks something like this.
1.Account Name: A
Account Domain: some_domain
**Account Name: B
Account Domain: some_domain
2.Account Name: A
Account Domain: some_domain
**Account Name: C
Account Domain: some_domain
Basically I have user A appearing in every search result. As a result, my chart shows A as having the highest number of logins and because it occurs for every user, I cannot use NOT and remove that username from the search. It would show me 0 results.
Can someone tell me a way I can remove just user A from my chart? I want to see logins from every other user except A in my chart. I'm new to Splunk and I have no idea on how to do this.
Tags: charts
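Two of the posts above ask the same underlying question: how to count logins per user from a log where the user name is not yet an extracted field. The SSH post has one user per line; the login-chart post has a multi-line event that names the server account (A) first and the user who logged in second, so filtering A out with NOT would drop every event. The following is an added example, not code from the posts; the sample lines are constructed to follow the formats quoted there.

```python
# Added example, not code from the original posts: count logins per user from the
# two log shapes described on this page, the one-line sshd message and the
# multi-line event that carries two "Account Name" values.
import re
from collections import Counter

# Constructed sample data following the formats quoted in the posts.
SSH_LINES = [
    "Accepted publickey for user XYZ",
    "Accepted publickey for user ABC",
    "Accepted publickey for user XYZ",
    "Failed password for user QRS",  # not an accepted login; must not be counted
]

# Each event names the server's account (A) first and the logged-in user second.
WINDOWS_EVENTS = [
    "Account Name: A\nAccount Domain: some_domain\nAccount Name: B\nAccount Domain: some_domain",
    "Account Name: A\nAccount Domain: some_domain\nAccount Name: C\nAccount Domain: some_domain",
    "Account Name: A\nAccount Domain: some_domain\nAccount Name: B\nAccount Domain: some_domain",
    "Account Name: A\nAccount Domain: some_domain",  # no second name: nothing to count
]

SSH_ACCEPTED = re.compile(r"^Accepted publickey for user (?P<user>\S+)")
ACCOUNT_NAME = re.compile(r"Account Name:\s*(?P<name>\S+)")


def ssh_user_counts(lines):
    """Extract the user from each accepted-login line and tally per user.
    Lines that do not match (failures, other messages) are ignored."""
    counts = Counter()
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def target_user(event):
    """Return the second 'Account Name' in an event, which is the account that
    logged in. The first one is the server's own account and is skipped by
    position, so no NOT filter on the server name is needed and events are
    never dropped."""
    names = ACCOUNT_NAME.findall(event)
    return names[1] if len(names) >= 2 else None


def login_counts(events):
    """Tally logins per target user across multi-line events."""
    counts = Counter()
    for event in events:
        user = target_user(event)
        if user is not None:
            counts[user] += 1
    return counts


if __name__ == "__main__":
    print("ssh:", dict(ssh_user_counts(SSH_LINES)))
    print("logins:", dict(login_counts(WINDOWS_EVENTS)))
```

The same positional trick carries over to a search-time extraction: a single regex that matches the first "Account Name" without capturing it and captures the second into a named group yields a user field that never contains A, so the chart can be built directly on that field instead of trying to exclude the server account afterwards.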